On October 15, 2010, the Article 29 Working Party published an Opinion finding that Uruguay ensures an adequate level of protection within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC).
This Opinion was issued pursuant to an official request Uruguay filed with the European Commission in October 2008. While the Article 29 Working Party’s Opinion is an important step toward adequacy, the European Commission must now make a formal decision that the Uruguayan legal framework provides an adequate level of data protection under EU data protection law. The European Commission will take the Article 29 Working Party’s Opinion into account when determining whether to issue an “adequacy decision” in the coming months. As recently illustrated by the adequacy procedure for Israel, this process may prove to be difficult.
A decision from the European Commission would provide that data transfers to Uruguay from the EU are adequately protected for purposes of compliance with the Directive, thereby easing the free flow of information from the European Union to Uruguay. This would benefit Uruguay’s outsourcing industry, providing an incentive for EU-based companies to outsource some of their data processing activities to Uruguay, while reassuring European citizens that their personal data will be adequately protected.
Under the EU Data Protection Directive, the transfer of personal data outside of Europe is prohibited unless the recipient country is considered by the European Commission to provide an “adequate” level of data protection, or if the data controller has implemented a proper mechanism to ensure an adequate level of protection (e.g., model contracts or binding corporate rules). To date, the European Commission has recognized Argentina, Faeroe Islands, Guernsey, Jersey, the Isle of Man, Switzerland, the Canadian Personal Information Protection and Electronic Documents Act and the U.S. Department of Commerce Safe Harbor Privacy Principles, as providing adequate protection.